
Changeset 13489


Timestamp:
02/28/2010 07:12:05 AM (10 years ago)
Author:
dd32
Message:

Fix slashing in Custom fields values. Allow for the meta_key to be updated without changing meta_value. Use wpdb::insert in add_meta(). Fixes #12418

Location:
trunk/wp-admin
Files:
3 edited

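--- a/trunk/wp-admin/admin-ajax.php
+++ b/trunk/wp-admin/admin-ajax.php
@@ -855,5 +855,5 @@
             'supplemental' => array('postid' => $pid)
         ) );
-    } else {
+    } else { // Update?
         $mid = (int) array_pop(array_keys($_POST['meta']));
         $key = $_POST['meta'][$mid]['key'];
@@ -863,5 +863,5 @@
         if ( !current_user_can( 'edit_post', $meta->post_id ) )
             die('-1');
-        if ( $meta->meta_value != stripslashes($value) ) {
+        if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
             if ( !$u = update_meta( $mid, $key, $value ) )
                 die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).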
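Review bot: The changed-or-not test on new line 865 uses loose `!=` for both the value and the key, so PHP compares numeric-looking strings as numbers; an edit such as value `1.0` to `1`, or key `01` to `1`, is treated as unchanged and `update_meta()` is never called. Assuming `$meta->meta_value` and `$meta->meta_key` are plain strings at this point (the lookup that fills `$meta` is outside the hunk), strict comparison is the safer form: `if ( $meta->meta_value !== stripslashes($value) || $meta->meta_key !== stripslashes($key) ) {`. The enclosing branch starts and ends outside the hunk, so the path taken for an unchanged field is not visible here.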
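--- a/trunk/wp-admin/includes/post.php
+++ b/trunk/wp-admin/includes/post.php
@@ -598,6 +598,5 @@
 
         wp_cache_delete($post_ID, 'post_meta');
-
-        $wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value ) VALUES (%s, %s, %s)", $post_ID, $metakey, $metavalue) );
+        $wpdb->insert( $wpdb->postmeta, array( 'post_id' => $post_ID, 'meta_key' => $metakey, 'meta_value' => $metavalue ) );
         do_action( 'added_postmeta', $wpdb->insert_id, $post_ID, $metakey, $metavalue );
 
@@ -691,6 +690,6 @@
  *
  * @param unknown_type $meta_id
- * @param unknown_type $meta_key
- * @param unknown_type $meta_value
+ * @param unknown_type $meta_key Expect Slashed
+ * @param unknown_type $meta_value Expect Slashed
  * @return unknown
  */
@@ -699,4 +698,6 @@
 
     $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
+
+    $meta_key = stripslashes($meta_key);
 
     if ( in_array($meta_key, $protected) )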
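Review bot: The result of `$wpdb->insert()` on new line 600 is not checked, so `do_action( 'added_postmeta', ... )` on the next line still fires when the insert fails, and `$wpdb->insert_id` may then not refer to a row this call wrote. `wpdb::insert()` returns false on error, so wrapping the call with its arguments unchanged, as `if ( false === $wpdb->insert( ... ) ) return false;`, would keep hooked code from acting on a meta row that was never stored. add_meta()'s body starts and ends outside the hunk, so confirm that an early `return false` fits what its callers expect.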
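--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -2451,6 +2451,5 @@
 
     foreach ( $keys as $key ) {
-        $key = esc_attr( $key );
-        echo "\n<option value='" . esc_attr($key) . "'>$key</option>";
+        echo "\n<option value='" . esc_attr($key) . "'>" . esc_html($key) . "</option>";
     }
 ?>
@@ -3290,5 +3289,5 @@
                 <label class="screen-reader-text" for="find-posts-input"><?php _e( 'Search' ); ?></label>
                 <input type="text" id="find-posts-input" name="ps" value="" />
-                <input type="button" onClick="findPosts.send();" value="<?php esc_attr_e( 'Search' ); ?>" class="button" /><br />
+                <input type="button" onclick="findPosts.send();" value="<?php esc_attr_e( 'Search' ); ?>" class="button" /><br />
 
                 <input type="radio" name="find-posts-what" id="find-posts-posts" checked="checked" value="posts" />
@@ -3300,5 +3299,5 @@
         </div>
         <div class="find-box-buttons">
-            <input type="button" class="button alignleft" onClick="findPosts.close();" value="<?php esc_attr_e('Close'); ?>" />
+            <input type="button" class="button alignleft" onclick="findPosts.close();" value="<?php esc_attr_e('Close'); ?>" />
             <input id="find-posts-submit" type="submit" class="button-primary alignright" value="<?php esc_attr_e('Select'); ?>" />
         </div>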
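Review bot: The `echo` on new line 2453 now escapes `$key` separately for each output context, but nothing in the loop says why two different escapers are used, which makes it easy for a later edit to fall back to one pre-escaped variable as the removed lines did. A one-line comment above the `echo` would record the intent: `// Escape at output, per context: esc_attr() for the value attribute, esc_html() for the option label.` Where `$keys` comes from is outside the hunk; if it holds stored custom-field names, this escaping is what keeps a name containing markup from being rendered as HTML.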